
Wireless AP 1260 issue

thembsmoyo26
Level 1

We are having challenges with our new Cisco 1260 access points: they drop connections after a couple of minutes, and I get the following errors:

"Two TKIP Michael MIC failures were detected within 30 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds."

"Interface Dot11Radio0, Deauthenticating Station Reason: Invalid MIC"


Amjad Abdullah
VIP Alumni

This is usually due to high interference/noise around.

A good solution is to avoid using TKIP and to use AES.

If your clients all support WPA2-AES then you can take that option. This will save you the headache of TKIP MIC errors.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


Changed encryption mode to AES-CCM and users are connected and no connections are being dropped. The problem is that this contradicts company global standards on wireless APs; we have other access points which are working fine with TKIP encryption.

Please assist in solving this problem without changing encryption mode.

George Stefanick
VIP Alumni

TKIP countermeasure is part of the 802.11 standard. If a client sends 2 bad MICs in a 60-second period you will see the alert.

Ways to work around this:

Move to AES and don't use TKIP, or turn off countermeasure.

Is this AP controlled by a WLC?


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________


Amjad

Lol, I'm a few seconds behind you this morning!


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Lol. ya. First time I am quick enough.

Rating useful replies is more useful than saying "Thank you"


I have tried to isolate the device to avoid any noise or interference but it still drops connections. This access point is managed by an NPS server and users are managed by GPO, so if settings don't match they fail to connect; as such, changing to AES hasn't worked yet, as users fail to connect.

I have also tried changing timers and disabling them, namely the client holdoff time, the EAP or MAC reauthentication interval and the TKIP MIC failure holdoff time, and it's still dropping connections.

We have other access points, namely the 1240AG series, and they are working as expected, but our new 1260 series are the issue.

Can you post the config for your 1240s? Little confused on your statement about NPS and changing the EAP timers. Are you using EAP as your security?

Post the 1240 config and let's start from there.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


Amjad Abdullah
VIP Alumni

'''snip'''

Error Message

DOT11-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within [number] seconds on [interface] interface. The interface will be put on MIC failure hold state for next [number] seconds

Explanation    Because MIC failures usually indicate an active attack on your network, the interface will be put on hold for the configured time. During this hold time, stations using TKIP ciphers are disassociated and cannot reassociate until the hold time ends. At the end of the hold time, the interface operates normally.

Recommended Action    Michael MIC failures usually indicate an active attack on your network. Search for and remove potential rogue devices from your wireless LAN. If this is a false alarm and the interface should not be on hold this long, use the countermeasure tkip hold-time command to adjust the hold time.

'''snip'''

http://cisco.com/en/US/docs/ios/12_4t/wlan/configuration/guide/wlcgerr.html

So, if you insist on using TKIP and not moving to AES, you can try to decrease the TKIP hold timer with the command:

countermeasure tkip hold-time

By default it is 60 seconds. You can lower it to 0 or a few seconds.

You need to note the cause could also be due to an attack going on around. So, you need to look if there is any attack source.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
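
The countermeasure behaviour quoted above (two Michael MIC failures put the radio into a hold state) can be measured from the AP's syslog before deciding whether it is a false alarm. This is an added example, not part of any post in this thread: it matches the two message texts quoted here and reports, per interface, how often countermeasures fired, the total hold time, and which stations were deauthenticated for an invalid MIC. The timestamps, MAC addresses and sample lines are constructed for illustration.

```python
import re
from collections import Counter
# Message texts as quoted in the thread; any syslog prefix before them is ignored.
HOLD_RE = re.compile(
    r"Two TKIP Michael MIC failures were detected within \d+ seconds on (\S+) "
    r"interface\..*?hold state for next (\d+) seconds")
# The station address is optional because the line quoted in the thread lacks one.
DEAUTH_RE = re.compile(
    r"Interface (\S+), Deauthenticating Station\s+(?:([0-9A-Fa-f.:]+)\s+)?"
    r"Reason: Invalid MIC")

def summarize(lines):
    """Per interface: countermeasure activations, seconds on hold, stations dropped."""
    report = {}
    for line in lines:
        hold = HOLD_RE.search(line)
        deauth = DEAUTH_RE.search(line)
        iface = hold.group(1) if hold else deauth.group(1) if deauth else None
        if iface is None:
            continue  # unrelated log line
        entry = report.setdefault(
            iface, {"holds": 0, "hold_seconds": 0, "stations": Counter()})
        if hold:
            entry["holds"] += 1
            entry["hold_seconds"] += int(hold.group(2))
        else:
            entry["stations"][deauth.group(2) or "unknown"] += 1
    return report

# Constructed sample: timestamps and MAC addresses are made up for illustration.
SAMPLE_LOG = [
    "*Mar  1 00:12:04.101: Interface Dot11Radio0, Deauthenticating Station "
    "0000.5e00.5301 Reason: Invalid MIC",
    "*Mar  1 00:12:04.102: Two TKIP Michael MIC failures were detected within 30 "
    "seconds on Dot11Radio0 interface. The interface will be put on MIC failure "
    "hold state for next 60 seconds.",
    "*Mar  1 00:12:04.110: Interface Dot11Radio0, Deauthenticating Station "
    "0000.5e00.5302 Reason: Invalid MIC",
    "*Mar  1 00:15:40.007: Interface Dot11Radio0, Deauthenticating Station "
    "Reason: Invalid MIC",
    "*Mar  1 00:15:40.009: Two TKIP Michael MIC failures were detected within 12 "
    "seconds on Dot11Radio0 interface. The interface will be put on MIC failure "
    "hold state for next 60 seconds.",
    "*Mar  1 00:16:02.500: Line protocol on Interface Dot11Radio1, changed state to up",
]

if __name__ == "__main__":
    for iface, entry in summarize(SAMPLE_LOG).items():
        print(iface, entry["holds"], entry["hold_seconds"], dict(entry["stations"]))
```
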


Below is the config on the 1240s:

Building configuration...
Current configuration : 2508 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx2
!
enable secret 5 $1$cDdz$2K8EckCSDA6LtLutI5LwS0
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.1 auth-port 1645 acct-port 1648
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.10.10.1 auth-port 1645 acct-port 1648
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid ITSWireless
   authentication open eap eap_methods1
   authentication key-management wpa
!
power inline negotiation prestandard source
!
!
username xxxx password 7 032752180500
username xxxx2 privilege 15 password 7 0704314149584B564347
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid ITSWireless
 !
 channel 2417
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 dfs band 1 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.10.12 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.10.10.26
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1645 acct-port 1648 key 7 095C4F1A0A0E120B2B5D5679
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Can you send the 1260 config over as well?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


After some searching I haven't come across anything. Are you on the latest autonomous code? Have you opened a ticket with TAC? Can you move to AES? It's a pain in the rear, I know.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


Config of the 1260 below:

Building configuration...
Current configuration : 2749 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
logging rate-limit console 9
enable secret 5 $1$uUGZ$cR.8a0qVd8jKWa7J/Yae4/
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.10.10.1 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid ITSWireless
   authentication open eap eap_methods1
   authentication key-management wpa
!
!
!
username xxxx password 7 072C285F4D06
username xxxx privilege 15 password 7 046B2B151C2A1F57584B56
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid ITSWireless
 !
 countermeasure tkip hold-time 1
 antenna gain 0
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 antenna gain 0
 dfs band 1 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 ip address 10.10.10.3 255.255.254.0
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.10.2 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.10.10.26
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community defaultCommunity RW
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1645 acct-port 1646 key 7 08116C5D1A12560E43595F
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

I haven't logged to TAC and my other 1240 APs are working fine, so moving away from the standard will be an issue at the firm. I have changed the TKIP MIC failure holdoff time to 1 sec and tried disabling it, and connections are still dropped.

At face value it looks good. You said you tried disabling it and you still see connection drops? That should negate the bad MIC and not drop the connection.

What code is the 1260 on?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
